ChallengeContext will be null with [Authorize] attribute

brentschmaltz · brentschmaltz · commit e5518e6fc258 · 2015-01-27T08:15:28.000-08:00
OpenIdConnect set Ticket.Principal, get identity from there.
diff --git a/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs b/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
@@ -91,6 +91,7 @@ protected override async Task ApplyResponseGrantAsync()
                 {
                     ProtocolMessage = openIdConnectMessage
                 };
+
                 await Options.Notifications.RedirectToIdentityProvider(notification);
 
                 if (!notification.HandledResponse)
@@ -100,6 +101,7 @@ protected override async Task ApplyResponseGrantAsync()
                     {
                         _logger.WriteWarning("The logout redirect URI is malformed: " + redirectUri);
                     }
+
                     Response.Redirect(redirectUri);
                 }
             }
@@ -116,15 +118,30 @@ protected override void ApplyResponseChallenge()
         /// <returns></returns>
         protected override async Task ApplyResponseChallengeAsync()
         {
-            if ((Response.StatusCode != 401) || (ChallengeContext == null))
+            if (Response.StatusCode != 401)
+            {
+                return;
+            }
+
+            // Active middleware should redirect on 401 even if there wasn't an explicit challenge.
+            if (ChallengeContext == null && Options.AuthenticationMode == AuthenticationMode.Passive)
             {
                 return;
             }
 
             // order for redirect_uri
             // 1. challenge.Properties.RedirectUri
             // 2. CurrentUri
-            AuthenticationProperties properties = new AuthenticationProperties(ChallengeContext.Properties);
+            AuthenticationProperties properties;
+            if (ChallengeContext == null)
+            {
+                properties = new AuthenticationProperties();
+            }
+            else
+            {
+                properties = new AuthenticationProperties(ChallengeContext.Properties);
+            }
+
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
                 properties.RedirectUri = CurrentUri;
@@ -154,7 +171,6 @@ protected override async Task ApplyResponseChallengeAsync()
                 State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties))
             };
 
-            // TODO - brentschmaltz, if INonceCache is set should we even consider if ProtocolValidator is set?
             if (Options.ProtocolValidator.RequireNonce)
             {
                 openIdConnectMessage.Nonce = Options.ProtocolValidator.GenerateNonce();
@@ -179,7 +195,7 @@ protected override async Task ApplyResponseChallengeAsync()
                 string redirectUri = notification.ProtocolMessage.CreateAuthenticationRequestUrl();
                 if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
                 {
-                    _logger.WriteWarning("The authenticate redirect URI is malformed: " + redirectUri);
+                    _logger.WriteWarning("Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute) returned 'false', redirectUri is: " + (redirectUri ?? "null"));
                 }
 
                 Response.Redirect(redirectUri);
diff --git a/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs b/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs
@@ -77,9 +77,12 @@ protected async Task BaseInitializeAsync(AuthenticationOptions options, HttpCont
             if (BaseOptions.AuthenticationMode == AuthenticationMode.Active)
             {
                 AuthenticationTicket ticket = await AuthenticateAsync();
-                if (ticket != null && ticket.Identity != null)
+                if (ticket != null)
                 {
-                    SecurityHelper.AddUserIdentity(Context, ticket.Identity);
+                    if ( ticket.Identity != null)
+                        SecurityHelper.AddUserIdentity(Context, ticket.Identity);
+                    else if (ticket.Principal != null)
+                        SecurityHelper.AddUserIdentity(Context, ticket.Principal.Identity);
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ protected override async Task ApplyResponseGrantAsync()`
`91`	`91`	`{`
`92`	`92`	`ProtocolMessage = openIdConnectMessage`
`93`	`93`	`};`
	`94`	`+`
`94`	`95`	`await Options.Notifications.RedirectToIdentityProvider(notification);`
`95`	`96`
`96`	`97`	`if (!notification.HandledResponse)`
`@@ -100,6 +101,7 @@ protected override async Task ApplyResponseGrantAsync()`
`100`	`101`	`{`
`101`	`102`	`_logger.WriteWarning("The logout redirect URI is malformed: " + redirectUri);`
`102`	`103`	`}`
	`104`	`+`
`103`	`105`	`Response.Redirect(redirectUri);`
`104`	`106`	`}`
`105`	`107`	`}`
`@@ -116,15 +118,30 @@ protected override void ApplyResponseChallenge()`
`116`	`118`	`/// <returns></returns>`
`117`	`119`	`protected override async Task ApplyResponseChallengeAsync()`
`118`	`120`	`{`
`119`		`- if ((Response.StatusCode != 401) \|\| (ChallengeContext == null))`
	`121`	`+ if (Response.StatusCode != 401)`
	`122`	`+ {`
	`123`	`+ return;`
	`124`	`+ }`
	`125`	`+`
	`126`	`+ // Active middleware should redirect on 401 even if there wasn't an explicit challenge.`
	`127`	`+ if (ChallengeContext == null && Options.AuthenticationMode == AuthenticationMode.Passive)`
`120`	`128`	`{`
`121`	`129`	`return;`
`122`	`130`	`}`
`123`	`131`
`124`	`132`	`// order for redirect_uri`
`125`	`133`	`// 1. challenge.Properties.RedirectUri`
`126`	`134`	`// 2. CurrentUri`
`127`		`- AuthenticationProperties properties = new AuthenticationProperties(ChallengeContext.Properties);`
	`135`	`+ AuthenticationProperties properties;`
	`136`	`+ if (ChallengeContext == null)`
	`137`	`+ {`
	`138`	`+ properties = new AuthenticationProperties();`
	`139`	`+ }`
	`140`	`+ else`
	`141`	`+ {`
	`142`	`+ properties = new AuthenticationProperties(ChallengeContext.Properties);`
	`143`	`+ }`
	`144`	`+`
`128`	`145`	`if (string.IsNullOrEmpty(properties.RedirectUri))`
`129`	`146`	`{`
`130`	`147`	`properties.RedirectUri = CurrentUri;`
`@@ -154,7 +171,6 @@ protected override async Task ApplyResponseChallengeAsync()`
`154`	`171`	`State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties))`
`155`	`172`	`};`
`156`	`173`
`157`		`- // TODO - brentschmaltz, if INonceCache is set should we even consider if ProtocolValidator is set?`
`158`	`174`	`if (Options.ProtocolValidator.RequireNonce)`
`159`	`175`	`{`
`160`	`176`	`openIdConnectMessage.Nonce = Options.ProtocolValidator.GenerateNonce();`
`@@ -179,7 +195,7 @@ protected override async Task ApplyResponseChallengeAsync()`
`179`	`195`	`string redirectUri = notification.ProtocolMessage.CreateAuthenticationRequestUrl();`
`180`	`196`	`if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))`
`181`	`197`	`{`
`182`		`- _logger.WriteWarning("The authenticate redirect URI is malformed: " + redirectUri);`
	`198`	`+ _logger.WriteWarning("Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute) returned 'false', redirectUri is: " + (redirectUri ?? "null"));`
`183`	`199`	`}`
`184`	`200`
`185`	`201`	`Response.Redirect(redirectUri);`
Original file line number	Diff line number	Diff line change
`@@ -77,9 +77,12 @@ protected async Task BaseInitializeAsync(AuthenticationOptions options, HttpCont`
`77`	`77`	`if (BaseOptions.AuthenticationMode == AuthenticationMode.Active)`
`78`	`78`	`{`
`79`	`79`	`AuthenticationTicket ticket = await AuthenticateAsync();`
`80`		`- if (ticket != null && ticket.Identity != null)`
	`80`	`+ if (ticket != null)`
`81`	`81`	`{`
`82`		`- SecurityHelper.AddUserIdentity(Context, ticket.Identity);`
	`82`	`+ if ( ticket.Identity != null)`
	`83`	`+ SecurityHelper.AddUserIdentity(Context, ticket.Identity);`
	`84`	`+ else if (ticket.Principal != null)`
	`85`	`+ SecurityHelper.AddUserIdentity(Context, ticket.Principal.Identity);`
`83`	`86`	`}`
`84`	`87`	`}`
`85`	`88`	`}`